Generic
Why use OpenVPN?
OpenVPN has been ported to various platforms, including Linux and Windows, and its configuration is largely the same on each of these systems, which makes it easier to support and maintain. Also, OpenVPN is one of the few VPN protocols that can make use of a proxy, which can be handy at times.
Download OpenVPN
Debian provides OpenVPN packages as part of the standard distribution, just install them by typing apt-get install openvpn.
For a server, additionally install the openssl package.
For easy client access, install network-manager, network-manager-openvpn and network-manager-gnome or network-manager-kde. This is a convenient GUI for handling wired and wireless network connections, connections via OpenVPN and Cisco VPN (vpnc), and PPP connections (such as a regular or 3G modem).
RouterOS requires v3.x and you will need to install and enable the ppp package. There is one limitation to using OpenVPN on the RouterOS platform: currently only TCP is supported; UDP will not work.
For Windows you probably also want the GUI, which lets you choose and activate a VPN configuration with a single click in the systray. A complete installation package for OpenVPN including the OpenVPN GUI can be downloaded at http://www.openvpn.se/download.html .
Certificates
OpenVPN works with SSL certificates. You can either use http://cacert.org to issue these or use the easy-rsa scripts that come with most OpenVPN distributions. In Debian these scripts can be found in the directory /usr/share/doc/openvpn/examples/easy-rsa; read the README.gz file for usage. On RouterOS, all you have to do is upload the files via FTP (CA certificate, router certificate and private key) and import them with /certificate import .
Naming Linux/Windows vs. RouterOS
OpenVPN uses two interface types:
tun, which RouterOS calls ip.
tap, which is needed for bridge mode gateways. RouterOS calls this ethernet.
A few comments
The configuration files here are fully laid out for Debian and Ubuntu. If you're using something else, you'll have to do your own research on what you need; hopefully they still serve as a guideline.
Server configuration
Separate segment for VPN and destination network
RouterOS
The network configuration of your box:
/ip address add address=10.15.30.31/24 interface=ether1 comment=Lan
/ip address add address=189.64.0.2/24 interface=ether2 comment=Internet
/ip route add dst-address=10.0.0.0/8 gateway=10.15.30.5 comment=Wan
/ip route add gateway=189.64.0.1 comment=Internet
Lan and Wan are the internal networks, Internet is obviously the Internet.
If NAT/masquerading is needed, this will do the job:
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade
Define an IP pool:
/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38
This pool is used for the OpenVPN clients.
Define a profile:
/ppp profile
add change-tcp-mss=default comment="" local-address=10.15.32.33 \
name="your_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
Add a vpn user:
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any
OpenVPN server configuration:
/interface ovpn-server server
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no
Bug: There is currently a bug in the implementation of OpenVPN in RouterOS, so require-client-certificate has to be set to no. Otherwise you'll end up with TLS errors.
Firewall
If your firewall denies incoming connections by default, allow access to the OpenVPN port:
/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
Default Route
I haven't figured out how to redistribute the default route from the OpenVPN server, so you'll have to add it yourself on the client by specifying the add-default-route option (if you have a RouterOS client).
If you have a Linux or a Windows client, you can use the route-up directive. Place it in your client configuration file followed by a command, and OpenVPN will execute that command once the tunnel's routes are up.
For example, if you want to add a static route for 192.168.0.0 (obviously this network is on the remote side) through your OpenVPN gateway (IP 10.15.30.31), you have to add, for Linux:
route-up "route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.15.30.31"
or, for Windows:
route-up "route add 192.168.0.0 mask 255.255.255.0 10.15.30.31"
Linux
/etc/network/interfaces:
iface eth0 inet static
address 10.15.30.31
netmask 255.255.255.0
network 10.15.30.0
broadcast 10.15.30.255
up /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.15.30.5
#
iface eth1 inet static
address 189.64.15.2
netmask 255.255.255.0
gateway 189.64.15.1
up echo "1" > /proc/sys/net/ipv4/ip_forward
eth0 is the network that we want to get access to. eth1 is our outside interface.
/etc/openvpn/gw.conf:
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/vpngate.crt
key keys/vpngate.key
dh keys/dh1024.pem
server 10.15.32.32 255.255.255.224
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher none
#comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/vpngate-status.log
verb 3
If you want to push a route to the client, this can be added:
push "route 10.0.0.0 255.0.0.0 10.15.32.33"
For a default gw to the client, usually, this is added:
push "redirect-gateway"
With RouterOS this has no effect whatsoever, so if you want to push the default route from the server, add:
push "route 0.0.0.0 0.0.0.0 10.15.32.33"
And to tell the client which DNS servers to use, this will do the job:
push "dhcp-option DNS 10.15.15.10"
push "dhcp-option DNS 10.15.30.10"
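The routed setups above derive client addresses from several independent settings: on RouterOS the profile's local-address, the pool's ranges and the server's netmask; on Linux the single "server NETWORK NETMASK" line. They only work if those values agree with each other. The following script is an added example, not part of the original article and not RouterOS or OpenVPN code: it checks a local address, pool range and prefix length for consistency, and converts an OpenVPN server directive into the tunnel network and the address the server takes for itself. The function names are hypothetical helpers; the sample values are the ones used in this article.

```python
import ipaddress

# Added example. The values below are the ones used in this article: the routed
# RouterOS server (local-address 10.15.32.33, pool 10.15.32.34-10.15.32.38,
# netmask=29) and the bridged one (10.15.30.31, pool 10.15.30.32-10.15.30.40,
# netmask=24). Nothing here talks to a router; it only checks the numbers.


def check_ovpn_addressing(local_address, pool_range, prefix_len):
    """Return a list of problems; an empty list means the settings agree.

    local_address: the /ppp profile local-address (server end of the tunnel)
    pool_range:    the /ip pool 'ranges' value, e.g. "10.15.32.34-10.15.32.38"
    prefix_len:    the ovpn-server 'netmask' value handed to clients
    """
    problems = []
    local = ipaddress.ip_address(local_address)
    net = ipaddress.ip_network(f"{local}/{prefix_len}", strict=False)
    first_s, last_s = pool_range.split("-", 1)
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip())
    if first > last:
        return [f"pool range {pool_range} runs backwards"]

    # Network and broadcast addresses cannot be assigned to anyone.
    reserved = {net.network_address, net.broadcast_address}
    if local in reserved:
        problems.append(f"local-address {local} is the network or broadcast address of {net}")
    for edge in (first, last):
        if edge not in net:
            problems.append(f"pool address {edge} lies outside {net}")
        elif edge in reserved:
            problems.append(f"pool address {edge} is the network or broadcast address of {net}")
    # The server's own address must not be handed out to a client as well.
    if first <= local <= last:
        problems.append(f"local-address {local} is inside the client pool {pool_range}")
    return problems


def tun_network_from_server_directive(line):
    """Turn an OpenVPN 'server NETWORK NETMASK' line into (network, server address).

    OpenVPN takes the first usable address of the subnet for the server itself,
    so 'server 10.15.32.32 255.255.255.224' gives the server 10.15.32.33.
    """
    keyword, network, netmask = line.split()
    if keyword != "server":
        raise ValueError(f"not a server directive: {line!r}")
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    return str(net), str(net.network_address + 1)


if __name__ == "__main__":
    for label, args in [
        ("routed RouterOS server", ("10.15.32.33", "10.15.32.34-10.15.32.38", 29)),
        ("bridged RouterOS server", ("10.15.30.31", "10.15.30.32-10.15.30.40", 24)),
        # constructed bad case: the pool runs past the end of the /29
        ("pool too large", ("10.15.32.33", "10.15.32.34-10.15.32.40", 29)),
    ]:
        print(label + ":", check_ovpn_addressing(*args) or "ok")
    print(tun_network_from_server_directive("server 10.15.32.32 255.255.255.224"))
```

Run it before committing a new pool or netmask; a pool that silently extends past the subnet, or a local address that overlaps the pool, shows up as a client that cannot reach the server rather than as a configuration error.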
Bridge mode
RouterOS
Create the bridge
/interface bridge add name=vpn-bridge
/interface bridge port add interface=ether1 bridge=vpn-bridge
The network configuration of your box:
/ip address add address=10.15.30.31/24 interface=vpn-bridge comment=Lan
/ip address add address=189.64.0.2/24 interface=ether2 comment=Internet
/ip route add dst-address=10.0.0.0/8 gateway=10.15.30.5 comment=Wan
/ip route add gateway=189.64.0.1 comment=Internet
Lan and Wan are the internal networks, Internet is obviously the Internet.
If NAT/masquerading is needed, this will do the job:
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade
Define an IP pool:
/ip pool add name=ovpn-pool ranges=10.15.30.32-10.15.30.40
This pool is used for the OpenVPN clients.
Define a profile:
/ppp profile
add change-tcp-mss=default comment="" bridge=vpn-bridge \
name="your_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
Add a vpn user:
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any
OpenVPN server configuration:
/interface ovpn-server server
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ethernet netmask=24 \
port=1194 require-client-certificate=no
Before using the require-client-certificate option, the CA and the correct server/client certificates must be imported on both the OpenVPN server and the client.
OpenVPN server Instance
At the moment it looks like RouterOS does not honour the vpn-bridge we specified in the profile. So we need to add an OpenVPN server instance ourselves for each user and add it to the bridge. (Not required after RC11.)
/interface ovpn-server add name=ovpn-username user=username
/interface bridge port add interface=ovpn-username bridge=vpn-bridge
As a result, the dynamically created OpenVPN server instance is automatically assigned to this interface and thus to the bridge.
Firewall
If your firewall denies incoming connections by default, allow access to the OpenVPN port:
/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
Default Route
I haven't figured out how to redistribute the default route from the OpenVPN server, so you'll have to add it yourself on the client by specifying the add-default-route option (if you have a RouterOS client).
If you have a Linux or a Windows client, you can use the route-up directive. Place it in your client configuration file followed by a command, and OpenVPN will execute that command once the tunnel's routes are up.
For example, if you want to add a static route for 192.168.0.0 (obviously this network is on the remote side) through your OpenVPN gateway (IP 10.15.30.31), you have to add, for Linux:
route-up "route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.15.30.31"
or, for Windows:
route-up "route add 192.168.0.0 mask 255.255.255.0 10.15.30.31"
Linux
Packages
These packages are needed: openvpn bridge-utils openssl
Configuration
The configuration bits here are needed to set up a bridged gateway.
/etc/network/interfaces:
auto eth0 eth1 br0
# WAN interface
iface eth0 inet static
address 10.15.30.31
netmask 255.255.255.0
network 10.15.30.0
broadcast 10.15.30.255
post-up route add -net 10.0.0.0/8 gw 10.15.30.5
# Internet interface
iface eth1 inet static
address 189.64.15.2
netmask 255.255.255.252
gateway 189.64.15.1
dns-nameservers 195.222.111.222 80.190.248.148 91.189.64.189
pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
up /sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
down /sbin/iptables -t nat -F
post-down echo 0 > /proc/sys/net/ipv4/ip_forward
# OpenVPN interface
iface br0 inet manual
up openvpn --mktun --dev tap0
up ifconfig eth0 0.0.0.0 promisc up
up ifconfig tap0 0.0.0.0 promisc up
up brctl addbr br0
up brctl setfd br0 0
up brctl stp br0 off
up brctl addif br0 eth0
up brctl addif br0 tap0
up ifconfig br0 10.15.30.31 netmask 255.255.255.0 up
up route add -net 10.0.0.0/8 gw 10.15.30.5
down ifconfig br0 down
down brctl delif br0 tap0
down brctl delif br0 eth0
down brctl delbr br0
down openvpn --rmtun --dev tap0
down ifconfig eth0 10.15.30.31 netmask 255.255.255.0 broadcast 10.15.30.255 network 10.15.30.0
down route add -net 10.0.0.0/8 gw 10.15.30.5
/etc/openvpn/bridge-gw.conf:
port 1194
proto udp
dev tap0
ca keys/ca.crt
cert keys/bridge-gw.crt
key keys/bridge-gw.key
dh keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.15.30.31 255.255.255.0 10.15.30.100 10.15.30.119
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status-gw.log
verb 3
If you want to push a route to the client, this can be added:
push "route 10.0.0.0 255.0.0.0 10.15.30.5"
For a default gw to the client, usually, this is added:
push "redirect-gateway"
With RouterOS this has no effect whatsoever, so if you want to push the default route from the server, add:
push "route 0.0.0.0 0.0.0.0 10.15.32.33"
And to tell the client which DNS servers to use, this will do the job:
push "dhcp-option DNS 10.15.15.10"
push "dhcp-option DNS 10.15.30.10"
Client configuration
RouterOS
client of a routed server (tun)
/interface ovpn-client \
add name="ovpn-out1" connect-to=189.64.0.1 port=1194 mode=ip user="username" password="password" profile=default \
certificate=vpngate-client cipher=aes256 add-default-route=no
client of a bridged server (tap)
/interface ovpn-client \
add name="ovpn-out1" connect-to=189.64.0.1 port=1194 mode=ethernet user="username" password="password" profile=default \
certificate=vpngate-client cipher=aes256 add-default-route=no
Linux
client of a routed server (tun)
dev tun
proto tcp-client
remote openvpn.example.com 1194 # Remote OpenVPN Servername or IP address
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-client
port 1194
user nobody
group nogroup
#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)
# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Silence the output of replay warnings, which are a common false
# alarm on WiFi networks. This option preserves the security of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings
# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass auth.cfg
The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password.
username
password
client of a bridged server (tap)
Please replace dev tun with dev tap. Otherwise the configuration on the bridged client is exactly the same as the routed client.
Windows
client of a bridged server (tap)
proto tcp-client
remote openvpn.example.com 1194 # Remote OpenVPN Servername or IP address
dev tap
nobind
persist-key
tls-client
ca ca.crt # Root certificate in the same directory as this configuration file.
ping 10
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass auth.cfg
The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password.
username
password
Alternatively, if you don't specify the filename the client will prompt for the details.
Additional tweaks
Disable encryption
If you just want to use OpenVPN for providing people with access to the internet through the WAN, encryption just adds overhead to the traffic. In this case it really isn't needed and would just affect the bandwidth available in the WAN.
Add this to your configuration:
cipher none
This should be done both on server and clients. It disables the encryption and leaves you with a plain, unencrypted ip tunnel.
For RouterOS the syntax is:
/interface ovpn-[client|server] set
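The client configurations above store the username and password in clear text in auth.cfg, and the tweak just described turns the cipher off entirely, so it pays to check each configuration file for exactly what it does and does not protect. The following script is an added example, not part of the original article and not OpenVPN's own code: it parses the one-directive-per-line OpenVPN format (the RouterOS key=value syntax, where the equivalents are auth=sha1,md5 and cipher=blowfish128, is not handled), flags cipher none, weak auth values, enabled compression and a client that lacks remote-cert-tls server, and checks that key and credential files are not readable by other users. It also shows how to write auth.cfg with owner-only permissions. SAMPLE_CLIENT_CONF is a constructed copy of the Linux client configuration from this article with its comments stripped; all function names are hypothetical.

```python
import os
import shlex
import stat
import tempfile

# Added example. SAMPLE_CLIENT_CONF is a constructed copy of the Linux client
# configuration from this article with its comments removed; it is not read
# from a live system.
SAMPLE_CLIENT_CONF = """\
dev tun
proto tcp-client
remote openvpn.example.com 1194
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-client
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass auth.cfg
"""

# Settings that leave the tunnel without confidentiality or integrity.
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "rc2-cbc"}
WEAK_AUTH = {"none", "md5"}


def parse_openvpn_conf(text):
    """Parse OpenVPN's one-directive-per-line format into (directive, args) pairs.

    '#' and ';' introduce comments; quoted arguments such as route-up "..." are
    kept as a single argument.
    """
    directives = []
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):
            continue
        parts = shlex.split(raw, comments=True)
        if parts:
            directives.append((parts[0].lower(), parts[1:]))
    return directives


def _private_file_problem(path, label):
    """Return a finding if a key or credential file is missing or readable by others."""
    if not os.path.exists(path):
        return f"{label}: file {path} not found"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return f"{label}: {path} has mode {mode:04o}, readable by other users"
    return None


def audit_openvpn_conf(text, base_dir=None):
    """Return a list of findings for one OpenVPN configuration file.

    base_dir: directory against which relative file names are resolved for the
    permission checks; None skips those checks entirely.
    """
    findings = []
    seen = {}
    for name, args in parse_openvpn_conf(text):
        seen.setdefault(name, []).append(args)

    cipher = seen.get("cipher", [[]])[0]
    if cipher and cipher[0].lower() in WEAK_CIPHERS:
        findings.append(f"cipher {cipher[0]}: tunnel payload is unencrypted or weakly encrypted")
    auth = seen.get("auth", [[]])[0]
    if auth and auth[0].lower() in WEAK_AUTH:
        findings.append(f"auth {auth[0]}: packets carry no strong HMAC")
    if "comp-lzo" in seen or "compress" in seen:
        findings.append("compression enabled: the article notes it does not work with RouterOS")
    is_client = any(d in seen for d in ("client", "tls-client", "pull"))
    if is_client and "remote-cert-tls" not in seen and "ns-cert-type" not in seen:
        findings.append("client lacks 'remote-cert-tls server': any certificate "
                        "issued by the CA would be accepted as the server")
    if base_dir is not None:
        for directive in ("key", "tls-auth", "secret", "auth-user-pass"):
            for args in seen.get(directive, []):
                if args:  # a bare auth-user-pass means an interactive prompt
                    problem = _private_file_problem(os.path.join(base_dir, args[0]), directive)
                    if problem:
                        findings.append(problem)
    return findings


def write_auth_file(path, username, password):
    """Write an auth-user-pass file (username, then password) readable only by its owner."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}\n{password}\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_auth_file_check():
    """Audit a minimal client config before and after loosening auth.cfg's mode."""
    conf = "client\nremote-cert-tls server\nauth-user-pass auth.cfg\n"
    with tempfile.TemporaryDirectory() as tmp:
        write_auth_file(os.path.join(tmp, "auth.cfg"), "username", "password")
        before = audit_openvpn_conf(conf, base_dir=tmp)
        os.chmod(os.path.join(tmp, "auth.cfg"), 0o644)
        after = audit_openvpn_conf(conf, base_dir=tmp)
    return before, after
```

Run audit_openvpn_conf on the text of a server or client file (with base_dir set to the directory the file lives in) and act on each finding; on the article's own client configuration the only finding is the missing remote-cert-tls server, which matters because the server here runs with require-client-certificate=no and the CA alone is what ties a client to the right server.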
Tuesday, 08 April 2008
OpenVPN